Sceptically passionate on Enterprise Mobility, AutoID, WLANs, OSes and other technical stuff I happen to work with

JavaScript is powerful indeed :)

JavaScript just got a promotion in my esteem. I knew this stuff existed, but never seen one live until today. Now, I’m a lucky recipient of a JavaScript Virus! (well, not a real virus, but a downloader, nevertheless…). Read on for more details

It all started with this message on GMail, that looked really funky (note the ZIP attachment).

I haven’t ordered anything on those dates. Moreover, I doubt FedEx emails originate from some fishy Argentinian domains (no offense, Argentina, but I live on the other side of the globe) or sites like websitewelcome.com.

So, what one security-cautious person do next – download the ZIP file, of course! And instantly upload it to VirusTotal.com.

Now that we know what we’re dealing with, we can open the ZIP file. Inside there’s a single 2KB file with .doc.js extension, which will execute JavaScript when ran. Examining the JS file shows a typical downloader script – a single text variable and a whole bunch of functions that construct a real JS script from it piece by piece and download some nasty stuff I don’t even want to look into. Here’s a snippet.

Having the URL and code split across multiple functions (that are not even declared in the sequence they are executed) really helps avoiding heuristic detection, as the only way to figure out what this code does is to run it (he-he). As you can see it is indeed very efficient – 38 out of 54 engines on VirusTotal did not detect a threat – nearly 75% miss ratio! In addition, the message was not flagged as suspicious neither by GMail, nor by any other mail service in the chain (I have a chain of email accounts forwarding messages to each other).

So, here you go – now you know one when you see it. 🙂 If you want to play with it – best way to get one would be mailing to that address in the header 🙂